[ANSWERED] Help with a malware/virus written in VBScript?

edited January 2023 in General

Hi hi,

Someone/group hacked a .gov.ly website in my country and started using it to spread malwares/virus by injecting images with VBScript.

I, using linux of course, downloaded the images and opened them in a text editor and they all have the same script [PASTE LINK HERE].

From my basic programming background, I figured it creates powershell files and writes something into them, probably encoded using strings to bytes converters or something. Then I tried the very long string which I guess it decodes into a hex/binary code that I didn't know how/where to go after...

Any help getting an IP or domain or something would greatly help.

I can send you the infected image URL privately if you want, but it's not much difference than what's in the paste above.

Thank you for your time.

Thanked by (1)localhost

Comments

  • i am interested to learn this

    may i ask how did you extract the script from the image?

    Thanked by (1)localhost
  • skorupionskorupion Services Provider
    edited January 2023

    This script appears to be a PowerShell script that performs a series of tasks. It performs several operations including creating directories, writing text files, loading assemblies, invoking methods from the loaded assemblies, and starting a VBS script.

    It starts by killing several processes and then it creates a directory called "WindowsHost" in the "C:\ProgramData" directory.
    It then creates a batch file called "wWsHYEaeTcWD.bat" in the "C:\Users\Public" directory, which contains a command to execute a PowerShell script called "xEyoIZuAfM.ps1" located in the "C:\Users\Public" directory.

    The script then creates a VBS script called "HDWxJwBqipd.vbs" in the "C:\ProgramData\WindowsHost" directory, which runs the previously created batch file.

    The script then modifies the registry so that the VBS script is run on startup.
    It then defines a function called "jDgxXCyHGd" which takes an array of bytes as input and decompresses the bytes with gzip.

    It then calls this function twice and assigns the return value to two different variables, $apvdKkIGX, and $sbtHDkzp, both of which are arrays of bytes.
    It then loads an assembly into the current application domain from the byte array stored in the $apvdKkIGX variable.

    It then uses the assembly that was loaded to check if two files, $ZdLWCaQrMJvvBKJrBRmvaT, and $BBzKuuGyDylBLOxQJQNkPDH, exist on the file system. If either file exists, it invokes the "Execute" method of a type named "order.yes" in the loaded assembly and passes it the path of the file and the byte array stored in the $sbtHDkzp variable as arguments.

    Finally, it writes the content of the $KCyGfjyEJvGyBYOxwwYKS variable to a file called "xEyoIZuAfM.ps1" in the "C:\Users\Public" directory, and after a delay of 10 seconds, it uses the Start command to execute the "HDWxJwBqipd.vbs" script in the "C:\ProgramData\WindowsHost" directory.

    It's difficult to know the exact purpose of this script without more context, but it appears that it's trying to perform various operations, including creating directories, writing text files, loading assemblies, invoking methods from the loaded assemblies, modifying the registry and starting a VBS script.
    It also uses functions and several variables to perform these operations.
    It's also worth noting that the script contains some obfuscation techniques, such as replacing certain characters in the string, concatenation of strings, and the use of non-printable characters.

    This response was made by ChatGPT. I'll try and tinker some more with chatGPT to get you some more useful information.

    Crunchbits Technical Support, Technical Writer, and Sales
    Contact me at: +1 (509) 606-3569 or [email protected]

  • JabJab Senpai
    edited January 2023

    Have you tried simplest solution like https://www.virustotal.com/ or https://www.filescan.io/ that has sandbox thing enabled and shows all the connections + files created? :P

    Haven't bought a single service in VirMach Great Ryzen 2022 - 2023 Flash Sale.
    https://lowendspirit.com/uploads/editor/gi/ippw0lcmqowk.png

  • edited January 2023

    That whole thing is just the dropper for the actual embedded payload, that long byte strings you found are GZIP compressed .NET assemblies.

    Here's the source via decompilation: https://paste.ee/p/x1zOj Disclaimer: DO NOT FUCKING RUN in case it wasn't obvious enough

    Windows Defender says it's: Trojan:Script/Wacatac.H!ml

    The domain in the source code is: 2_5_2_5_._l_i_b_y_a_2_0_2_0_._c_o_m_._l_y

    Doesn't seem too fancy, just fires HTTP requests to the C&C and probably downloads more garbage.

    EDIT: it's Njrat

    Thanked by (2)Abdullah jmaxwell
  • edited January 2023

    @ehab said:
    i am interested to learn this

    may i ask how did you extract the script from the image?

    just downloaded the photo and opened it using a text editor. it wasn't hidden.

    @skorupion said:
    This response was made by ChatGPT. I'll try and tinker some more with chatGPT to get you some more useful information.

    Wow, it's very well written and kinda scary how mostly accurate that AI has analyzed the code...

    @Jab said:
    Have you tried simplest solution like https://www.virustotal.com/ or https://www.filescan.io/ that has sandbox thing enabled and shows all the connections + files created? :P

    Sadly it didn't give a deep report. only a threat was found by 3 anti-virus.

    @jmgcaguicla said:
    That whole thing is just the dropper for the actual embedded payload, that long byte strings you found are GZIP compressed .NET assemblies.

    Here's the source via decompilation: https://paste.ee/p/x1zOj Disclaimer: DO NOT FUCKING RUN in case it wasn't obvious enough

    Windows Defender says it's: Trojan:Script/Wacatac.H!ml

    The domain in the source code is: 2_5_2_5_._l_i_b_y_a_2_0_2_0_._c_o_m_._l_y

    Doesn't seem too fancy, just fires HTTP requests to the C&C and probably downloads more garbage.

    EDIT: it's Njrat

    THANK YOU SO MUCH! <3
    Wow, that report on the twitter thread is kinda disheartening knowing that such attacks have been going since 2016 using government websites and servers...
    You greatly helped us kinda getting a hold on these little POS!

    Thanked by (1)ehab
  • Thanked by (1)ehab
  • Compromising government sites and using for spreading malware is a popular tactic. Have seen a lot of similar garbage from *.pr.gov

    Why?

  • AuroraZeroAuroraZero ModeratorHosting Provider

    @jmaxwell said:
    Compromising government sites and using for spreading malware is a popular tactic. Have seen a lot of similar garbage from *.pr.gov

    Stands to reason most governments are parasites anyways.

    Free Hosting at YetiNode | Cryptid Security | URL Shortener | LaunchVPS | ExtraVM | Host-C | In the Node, or Out of the Loop?

  • What's the penalty in Libya for hacking the Gibson? I think I know the answer.

  • AuroraZeroAuroraZero ModeratorHosting Provider

    WHy would Libya do that? ZeroCool and Acid Burn did that in the '90s. That is old news now.

    Free Hosting at YetiNode | Cryptid Security | URL Shortener | LaunchVPS | ExtraVM | Host-C | In the Node, or Out of the Loop?

  • AI analyzes a virus script like a little boy enumerates his socks in a basket :)

Sign In or Register to comment.